The FBI, in a change of policy, is committing to inform state officials if local election systems have been breached, federal officials told The Associated Press.
In the past, the FBI would alert local governments about attacks on their electoral systems without automatically sharing that information with the state. That meant state officials, left in the dark, might be in a position of certifying the accuracy of election results without realizing there had been problems in individual counties. Alerting local governments about breaches, but not the states, was in keeping with FBI policy of protecting the privacy and identities of the actual hacking victim.
The change is intended to bolster federal-state cooperation, which has often been difficult on electoral issues, and is one of several government efforts to rethink how information about cyber threats is shared and with whom. Some local officials in the past have complained about the lack of information from the federal government, though cooperation has improved ahead of the 2020 election with concerns that Russia or another nation could try to tamper with the vote.
The policy change was being shared with state officials on Thursday and was scheduled to be made public later in the day. Senior officials from the FBI and Justice Department described the outlines of it on condition of anonymity ahead of the formal release.
Under the new protocol, the FBI will continue to alert counties victimized by breaches first. A state’s chief election official, in most cases the secretary of state, will be notified either at the same time or soon after.
Officials say their goal is to sound the alarm louder and at higher levels of government than in past years, ensuring that information about efforts to interfere in the election reaches the state officials who need it the most and who have the best resources to deal with it.
That is especially important since federal officials believe Russian agents in 2016 searched for vulnerabilities within election systems in all 50 states.
Though the policy change means that a broader audience of government officials will learn of any intrusion, it does not guarantee that the American public will as well.
FBI officials say they will continue to protect the privacy of individual hacking victims, including governmental offices or local elections systems, by not sharing their identities with the public. It will remain up to electoral officials to disclose if they’ve been hacked, or if they are working with the FBI.
That stance has been a source of contention between federal law enforcement and state and local officials. The public still does not know, for instance, which two Florida counties were breached by Russian agents in 2016 and members of the congressional delegation said they were barred by federal officials from sharing that information following a briefing they attended.
The FBI policy does not cover more routine cyber activity, such as scanning for network vulnerabilities. But it would extend to sophisticated spear-phishing campaigns, aimed at tricking employees into giving up their log-in credentials, and other acts that officials see as particularly alarming and think must be communicated both to the county and the state.
The policy comes two months after the Office of the Director of National Intelligence released a broad framework for how and in what circumstances to notify the public about foreign election interference, laying out general considerations for the government to take into account.
“What I want for the American voting public is that they understand these threats, that they’ve heard about so frequently, that they’ve availed themselves of the resources,” the DNI’s chief election official, Shelby Pierson, said at a conference this week. “It is with the confidence of knowing these threats that they are empowered to participate in the process.”
When it comes to notifying states, one FBI official said there was confusion in the past about who was receiving information and in what circumstances — issues the new policy is meant to address. The official said the policy is meant to ensure that one party does not hear it from the other before hearing it from the federal government.
Some states have moved to address the issue on their own. At least two, Colorado and Iowa, have already implemented policies to compel local officials to notify the state about suspected breaches involving election systems.